OpenSSL to Patch Critical Mystery Bug on Thursday

OpenSSL to Patch Critical Mystery Bug on Thursday

The OpenSSL project team has sent a rather cryptic alert that it will be patching a high severity bug this Thursday, July 9.

The announcement is terse: “The OpenSSL project team would like to announce the forthcoming release of OpenSSL versions 1.0.2d and 1.0.1p. These releases will be made available on 9th July. They will fix a single security defect classified as "high" severity.  This defect does not affect the 1.0.0 or 0.9.8 releases.”

Unfortunately, the mystery bug is likely to be a big deal. OpenSSL is a security standard encrypting communications between users and the servers provided by a majority of online services. As such, it’s a basic component of a wide swath of the web, affecting various applications and systems, and even embedded devices. That’s one of the reasons why the Heartbleed flaw took months and months to patch even after an update was released.

Heartbleed, a mistake written into OpenSSL, made it viable for hackers to extract data from massive databases containing user names, passwords, private data and so on.

According to OpenSSL’s security policy, “high-severity” flaws are those that affect common configurations and are likely to be exploitable. These can range from server denial-of-service to significant leak of server memory to remote code execution.

“This type of a pre-announcement is intended to give organizations a chance to prepare,” Tim Erlin, director of IT security and risk strategy at Tripwire, said via email. “A huge part of the heartburn with Heartbleed came from the scramble to identify where organizations were vulnerable and how to apply patches. In this case, a little organization can go a long way to a smoother patching cycle. Software vendors who use OpenSSL can be prepared to patch their code and ship new versions faster, and end-users can inventory where they have OpenSSL and set up appropriate testing environments ahead of time.”


Iran blocks encrypted messaging apps amid nationwide protests

For the past six days, citizens have taken to the streets across Iran, protesting government oppression and the rising cost of goods. Video broadcasts from the country have shown increasingly intense clashes between protesters and riot police, with as many as 21 people estimated to have died since the protests began. But a complex fight ...

Bitcoin Exchange Has Been Forced to Close After Second Cyber-Attack

A South Korean Bitcoin exchange has been forced to close after suffering another major cyber-attack. Youbit claimed it was “very sorry” but has filed for bankruptcy after it suffered the cyber-attack, less than eight months after the first. In a statement in Korean on its homepage the firm said it had lost 17% of its ...

It is difficult for the FBI to crack most smartphone encryption

The FBI is struggling to decode private messages on phones and other mobile devices that could contain key criminal evidence, and the agency failed to access data more than half of the times it tried during the last fiscal year, FBI Director Christopher Wray told House lawmakers. Wray will testify at the House Judiciary Committee ...

Texas Church Shooting: More Calls for Encryption Backdoors

US Deputy Attorney General, Rod Rosenstein, has decided to use the recent mass shooting at a Texas church to reiterate calls for encryption backdoors to help law enforcers. The incident took place at the First Baptist Church in Sutherland Springs, killing at least 26 people. Deceased suspect Devin Kelley’s mobile phone is now in the ...